QEHS

Security & compliance

Security at QEHS

What we build, what we publish, what we plan. Every claim on this page reflects an actual shipped control or documented in-progress work; nothing is overstated.

Section 1

Controls live today

These are shipped capabilities, not roadmap items. Each is verifiable in product or code.

  • Encryption at rest, AES-256 with KMS-backed envelope keys
  • Encryption in transit, TLS 1.3, HSTS preloaded, weak ciphers disabled
  • Tenant-isolated data model, every query gated through withTenant()
  • Module-scoped RBAC + location-scoped RBAC
  • SSO (SAML + OIDC) and SCIM 2.0 provisioning
  • MFA, TOTP + WebAuthn; per-tenant policy enforcement
  • CIDR-level IP allowlist (self-service, tenant-admin)
  • GDPR Article 17 deletion workflow, subject request → admin review → purge worker
  • Append-only audit log, every create, update, delete, access, and permission change
  • Automated daily backups with point-in-time recovery (35-day window)
  • SigNoz observability, self-hosted traces, metrics, and logs; no customer data sent to third-party APM
  • Automated dependency CVE scanning (pnpm audit) on every Jenkins build; high findings block deploy

Section 2

Policies published

14 ISMS security policies aligned to ISO 27001:2022 Annex A controls (audit planned). Published at /docs/security/policies/.

  • Information Security Policy
  • Access Control Policy
  • Cryptographic Controls Policy
  • Data Classification Policy
  • Incident Response Plan
  • Business Continuity & DR Plan
  • Backup & Recovery Policy
  • Change Management Policy
  • Secure SDLC Policy
  • Vulnerability Management Policy
  • Vendor Management Policy
  • Risk Assessment Policy
  • Onboarding & Offboarding Procedure
  • Code of Conduct

Full policy documents will be available via the compliance document library once audit work is complete. Copies are available to enterprise prospects on request.

Section 3

Active subprocessors

All subprocessors with current active status are listed below. The full list, including planned processors, is at /trust/subprocessors. Change notifications are sent 30 days in advance.

  • Stripe: payment processing and subscription billing. Location: Ireland and United States (global payment network).
  • Hostinger: virtual private server hosting (production application + database) and managed mailbox. Location: European Union (Lithuania) and United States.
  • Postmark (Wildbit / ActiveCampaign): transactional email delivery (account verification, password reset, notifications). Location: United States.
  • Amazon Web Services (S3): object storage for file attachments and exports. Location: United States (EU-region option planned for Enterprise).
  • Spaceship: domain registrar and authoritative DNS. Location: United States.
  • SigNoz (self-hosted): application observability (traces, logs, metrics). Operated by QEHS on its own infrastructure. Location: same infrastructure as the production application (United States at launch).
  • Chatwoot (self-hosted): customer support inbox. Operated by QEHS on its own infrastructure. Location: same infrastructure as the production application (United States at launch).
  • Cal.com (self-hosted): sales-call scheduling. Operated by QEHS on its own infrastructure. Location: same infrastructure as the production application (United States at launch).

Section 4

Audit roadmap

What we are working toward, stated honestly as to what is planned versus what is complete.

  • SOC 2 Type I: audit planned Q3 2026. Security policies published; controls implementation in progress.
  • ISO 27001 (audit planned): ISMS documentation in progress. Certification to follow SOC 2 Type I completion.
  • Penetration test: third-party penetration test engagement planned before SOC 2 fieldwork.
  • HIPAA: not currently in scope. Contact us if your use case requires HIPAA controls or a BAA; we will discuss requirements and roadmap.

Section 5

Security contact

Security questions or concerns: security@qehsethos.com

Found a vulnerability? Read our responsible disclosure policy. We respond within 2 business days and do not pursue good-faith researchers.

Machine-readable contact: /.well-known/security.txt